Ever think about hacking into the U.S. government’s data system? Wanna try?
If you can develop a network signature for an intrusion detection system (detect hacking), or perform forensic analysis of a compromised endpoint (detect hacking before it collapses the system), the National Security Administration wants you to try.
Registration is open for the 2017 Codebreaker Challenge. The contest asks college students to use reverse engineering or the ability to take apart code and fix from scratch a fictional break-in of a government data system. The scenario helps the Department of Homeland Security disarm an improvised explosive device using cybersecurity skills to prevent civilian casualties.
“Reverse engineering is a crucial skill for those involved in the fight against malware, advanced persistent threats, and similar malicious cyber activities,” the NSA website says. “As the organization tasked with protecting U.S. government national security information systems, NSA is looking to develop these skills in university students (and prospective future employees).”
Each year, undergraduate and grad students who compete to master six tasks will receive a small token of appreciation from the NSA for being among the first 50 finishers, and possible credit from the student’s college or university.
- Setup a test instance of the system (Task 0)
- Analyze suspicious network traffic (Task 1)
- Develop a network signature for an intrusion detection system (Task 2)
- Analyze critical system components for vulnerabilities (Tasks 3 and 4)
- Perform forensic analysis of a compromised endpoint (Task 5)
- Craft an exploit for the botnet server and devise a strategy to clean the infected endpoints (Task 6)
Registration for students with a valid email address ending in .edu started September 15 and continues until December 31.
This year, some have gotten close, but no one has completed all six tasks, so far, says the Codebreaker Challenge website. As of September 25, students from 335 colleges and universities have tried.
The most participants in 2016 came from Georgia Institute of Technology in Atlanta, with 149 students taking the challenge, but only five completing all six tasks, which also ranks first for most successful participants.
In addition to Georgia Tech, three students from Carnegie Mellon University in Pittsburgh, completed every task; as well as three from the U.S. Naval Academy in Annapolis, Md. one from University of Maryland, College Park, one from Naval Postgraduate School in Monterey, Calif., one from Lesley University in Cambridge, Mass., and one from Williams College in Williamstown, Mass.
Last year, 3,325 students from 481 colleges and universities attempted to finish all six tasks; only 15 students were successful. Robert Xiao from Carnegie Mellon University in Pittsburgh completed every task in just under 18 hours, which was nearly two and a half days quicker than the next fastest finisher.
“I find computer security to be a fascinating subject, and I was really lucky to be accepted at Carnegie Mellon, which has an excellent computer security reputation,” said Xiao, who was born and raised in Canada.
Carnegie Mellon ranks in the top 20 for cybersecurity schools in the U.S. and is known nationwide as a pipeline for future computer security experts. Xiao is on the Plaid Parliament of Pwning (PPP) hacking team at CMU and says the team, “participates in worldwide computer security competitions and does very well.”
That’s not an understatement. In fact, the PPP hacking team has won eight straight virtual capture-the-flag competitions at New York University’s Cyber Security Awareness Week and won the World Series of Hacking college competition four of the past five years.
The 2017 Codebreaker Challenge “is very challenging and covers a wide range of subjects ... but it takes a lot of time and effort at first,” Xiao says. “Don’t get discouraged if it seems too hard, that’s totally normal at first.”
Xiao is doing a Ph.D. in what he calls “human-computer interaction,” in which he wants to merge computer security and human interaction.
“The subject of ‘usable’ human-friendly security is really important and only a handful of people are thinking really hard about it,” he said. Essentially, Xiao wants to expand the use of computer security for those who might not be the most adept at using computers; in other words, make computer security easier for the everyday user.
Instructions and storyline for this year's challenge can be found on the Codebreaker Challenge website.
Can you crack the code?